metamorpherrat | 93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e

General

Target

0cd87830a30b703bdeba484aa1303bc0N.exe
Size

78KB
MD5

0cd87830a30b703bdeba484aa1303bc0
SHA1

3ce059f09cc9478f1dca1a00b01d121c05ccbb03
SHA256

93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e
SHA512

d152dacf25c9e1a6f92c06f6a108393fdb4d4b164eca9c62a5843143b9ffade5b658fb33e51093ccbfbe481b8b57976a6f7a3b9e148be626893dd600d5dccaf8
SSDEEP

1536:H/V58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtP6W9/p1K6:fV58xAtWDDILJLovbicqOq3o+nr9/p

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat
Executes dropped EXE 1 IoCs

Processes:

tmp8EE7.tmp.exe

pid process

2552 tmp8EE7.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exe

pid process

2948 0cd87830a30b703bdeba484aa1303bc0N.exe
2948 0cd87830a30b703bdeba484aa1303bc0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2552	tmp8EE7.tmp.exe

pid	process
2948	0cd87830a30b703bdeba484aa1303bc0N.exe
2948	0cd87830a30b703bdeba484aa1303bc0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8EE7.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8EE7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exevbc.execvtres.exetmp8EE7.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cd87830a30b703bdeba484aa1303bc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8EE7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exetmp8EE7.tmp.exe

description pid process

Token: SeDebugPrivilege 2948 0cd87830a30b703bdeba484aa1303bc0N.exe
Token: SeDebugPrivilege 2552 tmp8EE7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2948	0cd87830a30b703bdeba484aa1303bc0N.exe
Token: SeDebugPrivilege	2552	tmp8EE7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exevbc.exe

description	pid	process	target process
PID 2948 wrote to memory of 2288	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 2948 wrote to memory of 2288	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 2948 wrote to memory of 2288	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 2948 wrote to memory of 2288	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 2288 wrote to memory of 2532	2288	vbc.exe	cvtres.exe
PID 2288 wrote to memory of 2532	2288	vbc.exe	cvtres.exe
PID 2288 wrote to memory of 2532	2288	vbc.exe	cvtres.exe
PID 2288 wrote to memory of 2532	2288	vbc.exe	cvtres.exe
PID 2948 wrote to memory of 2552	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp8EE7.tmp.exe
PID 2948 wrote to memory of 2552	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp8EE7.tmp.exe
PID 2948 wrote to memory of 2552	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp8EE7.tmp.exe
PID 2948 wrote to memory of 2552	2948	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp8EE7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2532

C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp
Filesize
1KB

MD5
e5d9abacac08a3dd76bb23b947a541eb

SHA1
daea68219201f44aabaf5d6ca8e1672815bf0808

SHA256
b8804ce8cd49451f13e6f72697ba2d1dca185d623ac01628aa50e3bed93ab597

SHA512
8be36b11c73d48c6ce3ff162bb9c77ce7cf99a4072df0d6cfd4cf62fa0f8bcf4a36624c3bd89ae46ba661fae31167e19b280479846c33af7a7e51eb9f6da7d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duh3jati.0.vb
Filesize
14KB

MD5
5121182d695f6ebd7dde4381a1c0771d

SHA1
1132ace86cef8dfcdfc07766a14606ff5ca5536d

SHA256
3e3fe7c0343e92e7d0e4bfab40f2407ee2eb0218cdf6653f2f35a0ab30f6eb45

SHA512
645e5ff5bf49e9daf69257557fdb97441011a1cc1884d90db73dd68a5c1dd6c2eaff63a965f13a95575981349527c23b5b35865daca56281a4b06d80d6c40501

Download Submit
C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline
Filesize
266B

MD5
c4bf374c274506f6a6adcfb05bcdd51d

SHA1
3b389b6447afd65d640c1094185df4a06c4ffa2d

SHA256
4c1e013ca3b3b89772bf374aded6eac6e87e89a3564a64ce84f8b18b4de43f0d

SHA512
02e5927ccd526d193698b561e805bfda6531ca3628bbdc7c32bb54e4e664b25f8a7e1979fa248a4c5ca6b37cecbbe2bba3d282fd92a94531756f5ff3c5d6ecc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe
Filesize
78KB

MD5
3f36e702f4b5c23ab6ae0c3d4fe0644d

SHA1
cbe1015762d755c2bb651225d6f663713e6f1428

SHA256
4676f2c9eae9ef8c9c2e3410fc236ac01d6b7ab7cab3454aeec217585cb82c9a

SHA512
b66eab3e889fe86c497d9f86b7c222acddef9c01aff09fa36dc6e43bf94028ebdc4614b83e896ee759e3903a5c875f0af0b9690bd084473d69659f2244bfbdbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp
Filesize
660B

MD5
23622f3c021eb50ae7c2f5bc0477086c

SHA1
4429c9d7b40a55ae5da0d0deb4b644f0b78fb019

SHA256
189f4a7a281dba6ce0ccf578041fa98f9fc03c3ba2d853906957e272d9332ea4

SHA512
478c0de7a36f8060fa3e0af2b11deb00b34abd4f50453267a6c4cbfd20994c3cf9005aced50ed2c19b1659bfedf0aac70106670cffb8249e6ada54ca9cd5a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2288-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-24-0x0000000073E40000-0x00000000743EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads